Date: Mon, 20 Nov 2000 20:25:14 +0100
From: Mark Lastdrager <mark@PINE.NL>
Subject: security problem in AdCycle installation
To: BUGTRAQ@SECURITYFOCUS.COM

(resubmitting because it's not clear if the last try survived through some ORBS filters)

Hi,

"The Pike" (thepike@hotmail.com) pointed us at a problem in the AdCycle banner management system. When the installation of AdCycle is not completed carefully, a malicious user may be able to obtain the management username/password.

AdCycle is a banner management system which is written in Perl and uses MySQL for data storage. Installation is done by editing AdConfig.pm, creating a MySQL user/password/database and then running the build.cgi script. That script checks if the database connection is working (showing the username/password it reads from AdConfig.pm) and creates the tables within the database.

The 'exploit' is quite simple: when build.cgi remains executable for your httpd process after the installation, every internet user can view the output of it, including your manager password and database password. Attackers can delete, change and add banner campaigns. Another big problem is that when build.cgi is called from a web browser, the AdCycle tables are dropped, so all banner campaigns are lost.

FIX:

The installation instructions say you should set the build.cgi permissions to 750. That will prevent some problems of course, but is far from totally secure. When the owner of the scripts for example has the same gid as the httpd process, build.cgi is still executable for the evil outside world. I think everyone should remove all bits from build.cgi after a successful install, or even completely remove it.

Maybe the AdCycle makers planned to put that advice in chapter 12 of the UNIX installation notes, which seems to be missing (see http://www.adcycle.com/help/messages/5/5.html?950947770). I guess a chapter about security would be more than welcome.

We decided to publish this advisory instead of informing the author first, because the above information is already out there and being exploited. Besides that, the fix is quite simple (chmod 0 build.cgi) so no need to wait for a patch or new version. Author will be cc'ed on this post of course.

Thanks to The Pike for showing how important it is to carefully check all software you install ;-)

Mark Lastdrager

--
Pine Internet BV :: tel. +31-70-3111010 :: fax. +31-70-3111011
PGP 92BB81D1 fingerprint 0059 7D7B C02B 38D2 A853 2785 8C87 3AF1
Today's excuse: Vendor no longer supports the product
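The advisory's point about mode 750 is that the group execute bit still lets the httpd process run build.cgi whenever the script owner and the web server share a group. The POSIX shell script below is an added post-install audit written for this post; it is not part of AdCycle or of the original advisory. It parses `ls -ld` output (portable across GNU and BSD userlands, unlike `stat` flags), reports which permission classes hold an execute bit, decides whether a given account could execute the file under the usual owner/group/other rules (root's bypass is deliberately ignored), and applies the `chmod 0` the advisory recommends. The account name `www-data` and its group list used in the comments are assumptions for illustration; substitute the user and groups your httpd actually runs as.

```shell
#!/bin/sh
# Post-install check for leftover installer scripts such as build.cgi.
# Added example for this advisory; not AdCycle's own code.

# Print which classes (owner,group,other) can execute $1, or "none".
# A lowercase s/t in the execute column means setuid/setgid/sticky plus
# execute; an uppercase S/T means the special bit without execute.
exec_classes() {
    mode=$(ls -ld "$1" | cut -c1-10)
    result=""
    case $(printf '%s' "$mode" | cut -c4)  in x|s) result="owner" ;; esac
    case $(printf '%s' "$mode" | cut -c7)  in x|s) result="${result:+$result,}group" ;; esac
    case $(printf '%s' "$mode" | cut -c10) in x|t) result="${result:+$result,}other" ;; esac
    printf '%s\n' "${result:-none}"
}

# account_can_exec FILE ACCOUNT "GROUP1 GROUP2 ..."
# Prints "yes" if ACCOUNT (a member of the listed groups) could execute FILE.
# Follows the kernel's class selection: the owner class applies if the uid
# matches, otherwise the group class if any group matches, otherwise other.
# This is the case the advisory warns about: mode 750 plus a shared gid.
account_can_exec() {
    file=$1; acct=$2; acct_groups=$3
    set -- $(ls -ld "$file")
    mode=$(printf '%s' "$1" | cut -c1-10)
    f_owner=$3; f_group=$4
    if [ "$acct" = "$f_owner" ]; then
        bit=$(printf '%s' "$mode" | cut -c4)
    else
        bit=$(printf '%s' "$mode" | cut -c10)
        for g in $acct_groups; do
            [ "$g" = "$f_group" ] && bit=$(printf '%s' "$mode" | cut -c7) && break
        done
    fi
    case "$bit" in x|s|t) echo yes ;; *) echo no ;; esac
}

# Apply the advisory's fix: strip every permission bit from the installer.
# Removing the file entirely is the stronger alternative mentioned in the post.
harden_installer() {
    chmod 0 "$1"
}

# Usage (assumes the web server runs as www-data with groups "www-data staff"):
#   exec_classes /path/to/build.cgi
#   account_can_exec /path/to/build.cgi www-data "www-data staff"
#   harden_installer /path/to/build.cgi
```

Run `account_can_exec` with the real httpd account and the output of `id -Gn` for that account; a "yes" after installation means the script is still reachable through the web server even though its mode looks restrictive.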